CTF-200-07

Target IP: 192.168.250.28
Challenge Description: N/A.


Reconnaissance

7e876fc7c940f4d11dcb9a7e573ee590.png
Performing a port scan shows there are two TCP ports open on the target machine: SSH and HTTP, as shown above.

5ece935d49630683a5a2e2a37d7bd318.png
Performing an aggressive port scan against the two open TCP ports returns the result above. I will start enumeration with the HTTP application on port 80.


Enumeration

Port 80: HTTP
9bdbd74d4e8b0d3529af68be56070b9b.png
The web application displays the page above. It appears to be powered by PluXml, and there is one article, created by the user admin.

46a9186bcc1608ede3a1f07ede691862.png
Reviewing the page source reveals the information above, which suggests the application is version 5.8.7.

d6a20fbfce102123367421c72118f792.png
The page source also reveals the location of the administration panel: http://192.168.250.28/core/admin.

7a2932a9754e7946819dc1ce815d356a.png
A quick Google search for the default credentials of this application returns admin:admin. Using these, I logged in to the administration panel as the admin user, as shown above, which also confirms that the application version is 5.8.7.


Exploitation

3fc60d80234c27b5de1efa005efb29c5.png
The Static pages section is where the admin user can create and edit pages, so I wondered whether I could place PHP webshell code in one. In the image above, I created a new static page called shell and set the Active dropdown to Yes. The Edit button under the Action label opens the page content for editing.

50ab1a40ad47ee1eb517bc26b2385f70.png
In the image above, I started with a basic PHP snippet that runs whoami, to check whether the web application actually executes PHP placed in a static page rather than just displaying it.

aa6fdebb5c01ffbcd110c1abea8352c8.png
And bingo! When I viewed the Shell static page, the web application executed the command and printed the username www-data. Time to obtain a reverse shell connection.

cd8fff29d542d2ed4d21fcd8c56a7082.png
I then replaced the page content with the Pentest Monkey PHP reverse shell script, pointed at my machine, and started a listener on port 8443 for the incoming connection.

2d9e2113654e732780a487a7c9e34fd0.png
Nice! Browsing to http://192.168.250.28/index.php?static2/shell triggered the payload and gave me a reverse shell on port 8443 as the user www-data, as shown above. I now have a foothold on the target machine.


Privilege Escalation

4b6ec4bfc82cb669d677c2a95b4454ce.png
I transferred LinPEAS to the target machine and ran it. It flagged SUID binaries such as write.ul and exim4, but I could not escalate to root through them. I did notice, however, that several mail-related programs are installed on the target.

800f64eaf38c4c036622df82135e689c.png
Running the mail command shows an email from the administrator in the current user's mailbox, as shown above. It discusses a DDoS attack and includes the password of the root user: 6s8kaZZNaZZYBMfh2YEW.
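Local mail spools are a standard post-foothold check, and reading them by hand with mail only shows the current user's mailbox. As an added example (my own code, not part of the write-up), here is a Python helper that walks the usual Debian/Ubuntu mailbox locations and reports lines that look like they carry credentials, tagged with the Subject of the message they belong to. The directory list and the regex are assumptions about what is worth looking at; the sample message used to test it is constructed.

```python
import os
import re
from collections import namedtuple
from typing import Iterator, List

# Added example, not from the write-up: hunt mailboxes for credential-like lines.

# Where mail lands on a typical Debian/Ubuntu host (assumed, extend as needed).
MAIL_DIRS = [
    "/var/mail",
    "/var/spool/mail",
    os.path.expanduser("~/Maildir"),
    os.path.expanduser("~/mbox"),
]

# Lines worth a human look; deliberately broad, a human filters the hits.
CRED_RE = re.compile(r"passw(or)?d|passphrase|credential|api[_ -]?key|token|secret", re.I)

Hit = namedtuple("Hit", "source lineno subject line")


def scan_text(source: str, text: str) -> List[Hit]:
    """Return one Hit per credential-looking line in an mbox/mail text.

    Tracks the most recent Subject: header so a hit can be tied to its message.
    """
    hits: List[Hit] = []
    subject = ""
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("Subject:"):
            subject = line[len("Subject:"):].strip()
        if CRED_RE.search(line):
            hits.append(Hit(source, lineno, subject, line.strip()))
    return hits


def iter_mail_files(dirs: List[str]) -> Iterator[str]:
    """Yield every regular file under the given mail directories (or the file itself)."""
    for d in dirs:
        if os.path.isfile(d):
            yield d
            continue
        for root, _, files in os.walk(d):
            for name in files:
                yield os.path.join(root, name)


def scan_paths(dirs: List[str] = MAIL_DIRS) -> List[Hit]:
    """Scan every readable mail file; spools owned by other users are skipped."""
    hits: List[Hit] = []
    for path in iter_mail_files(dirs):
        try:
            with open(path, "r", errors="replace") as fh:
                hits.extend(scan_text(path, fh.read()))
        except OSError:
            continue  # unreadable (another user's spool): note it, move on
    return hits


if __name__ == "__main__":
    import sys
    for hit in scan_paths(sys.argv[1:] or MAIL_DIRS):
        print(f"{hit.source}:{hit.lineno} [{hit.subject}] {hit.line}")
```

Run it as the foothold user with no arguments to cover the default locations, or pass a directory or spool file explicitly. Spools you cannot read (permission denied) are skipped silently, which is itself worth remembering: the root or administrator spool may still hold more than the www-data one does.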

206e51391b33731c30357e2964a6e0df.png
Using su with this password, I switched to the root user, as shown above. I now have root access on the target machine :)


Flags

8d91c6106451279f0c681978736e4e5d.png
The local.txt flag is shown above.

222335bc125666d4c17a5c41febef7e0.png
The proof.txt flag is shown above.